Increasing account limits

Default maximum limits are set on entities in your account, such as access policies, service IDs, trusted profiles, identity providers (IdPs), and API keys. If a specific use case requires a higher limit, you can request an increase for the entity in question. You must be the account owner or administrator for all account management services to check how many policies exist in the account. Requests to increase limits are reviewed on a case-by-case basis, and there is no guarantee that an increase will be granted.

To review the default limits for your account, see Known issues and limitations.

Increasing limits for IAM identity entities

When your account approaches the maximum limit of one of the entities, you receive a warning in the Activity Tracker event for creating an entity. These events show you the current limits. See the following example:

Nov 26 16:46:01 iamid-6-11-12270-af4d601-cd77fd6bd-86gp7 at.log INFO IAM Identity Service: create account-serviceid 12345678-90ab-cdef-0123-456789abcdef -failure Warning: You have reached 100% of the maximum number of allowed Service IDs in account 11112222333344445555666677778888. Your current count is 3000, and the limit is 3000.
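To alert on these warnings before the limit is hit, the event text can be parsed for the account, entity, count, and limit. The following is an added example, not IBM code: the pattern follows the single sample event above, and the function names, the second and third sample lines, and the assumption that lower percentages use the same wording are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. The pattern follows the one sample event on
# this page; other percentages are assumed to use the same wording.

# Constructed input: line 1 is the page's sample; lines 2 and 3 are made up.
sample_events() {
cat <<'EOF'
Nov 26 16:46:01 iamid-6-11-12270-af4d601-cd77fd6bd-86gp7 at.log INFO IAM Identity Service: create account-serviceid 12345678-90ab-cdef-0123-456789abcdef -failure Warning: You have reached 100% of the maximum number of allowed Service IDs in account 11112222333344445555666677778888. Your current count is 3000, and the limit is 3000.
Nov 26 16:50:12 iamid-6-11-12270-af4d601-cd77fd6bd-86gp7 at.log INFO IAM Identity Service: create account-serviceid 0f0f0f0f-1111-2222-3333-444455556666 -success
Nov 26 17:02:40 iamid-6-11-12270-af4d601-cd77fd6bd-86gp7 at.log INFO IAM Identity Service: create account-serviceid 0a0a0a0a-1111-2222-3333-444455556666 -success Warning: You have reached 80% of the maximum number of allowed Service IDs in account aaaabbbbccccddddeeeeffff00001111. Your current count is 2400, and the limit is 3000.
EOF
}

# Emit account|entity|count|limit for every line that carries a limit warning.
parse_limit_warnings() {
  sed -nE 's/^.*Warning: You have reached [0-9]+% of the maximum number of allowed (.+) in account ([0-9a-f]+)\. Your current count is ([0-9]+), and the limit is ([0-9]+)\..*$/\2|\1|\3|\4/p'
}

# Keep warnings at or above THRESHOLD percent (default 90) and append the
# remaining headroom. Usage is recomputed from count and limit rather than
# taken from the percentage in the message.
limits_at_risk() {
  parse_limit_warnings | awk -F'|' -v t="${1:-90}" '
    $4 > 0 && $3 * 100 >= t * $4 {
      printf "%s|%s|%d|%d|%d\n", $1, $2, $3, $4, $4 - $3
    }'
}

# Demo on the constructed input: account|entity|count|limit|headroom
sample_events | limits_at_risk 80
```
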

A limit increase can be requested for the following types of entities:

  • API keys per identity
  • Service IDs
  • Identity providers (IdPs)
  • Trusted profiles
  • Dynamic rules

You can request a limit increase for the chosen entities only if the following criteria are met:

  • You must be the account owner or an administrator on all account management services.
  • You have taken efforts to clean up and reduce the number of entities in the account.
  • You must have a specific, reasonable use case for requesting an increase.

Requesting a limit increase for different entities

If you meet all of the previously listed criteria, you can request a limit increase for the chosen entities by submitting a support case in the console. In the case, provide all of the following information. Each piece of information is required for the processing of your request.

  • Case title of Request to increase account <entity> limit
  • The use case for the limit increase
  • Information on all efforts taken to reduce the number of <entities> on the account
  • Account ID
  • Note how many extra <entities> in the account are required

Then, your request is reviewed and you are notified of the outcome through the support case.

If the request is approved, the limits for your account are changed.

Managing policy limits

If you aren't sure how many policies are in your account, and you want to ensure that you avoid reaching the limit, you can check how many policies are in your account and work to reduce policies as you approach the limit. You must be the account owner or administrator for All Account Management services and All Identity and Access enabled services to check how many policies exist in the account.

Viewing the total number of policies per account by using the API

To get the total number of policies per account, you can use the IAM Policy Management API:

  1. Log in to IBM Cloud® CLI. If you have multiple accounts, you are prompted to select which account to use. If you do not specify a region with the -r flag, you must also select a region.

    ibmcloud login
    

    If your credentials are rejected, you might be using a federated ID. To log in with a federated ID, use the --sso flag. See Logging in with a federated ID for more details.

    If it's your first time using the IBM Cloud CLI, check out the getting started tutorial.

  2. Generate your IAM access token:

    ibmcloud iam oauth-tokens
    
  3. Enter the following curl command to get a total number of policies in one account. You can find the correct value for the account_id query parameter by running the ibmcloud account list command. The account ID is in the Account GUID column. You might want to install jq to format the JSON, which is used in the following examples:

    curl --location --request GET "https://iam.cloud.ibm.com/v1/policies?account_id=<account_id>" \
        --header "Content-Type: application/json" \
        --header "Authorization: <IAM TOKEN>" | jq -r .policies | jq '. | length'
    

In the following example output, the last line displays the total number of policies:

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100  2919  100  2919    0     0   3918      0 --:--:-- --:--:-- --:--:--  3912
351

Install jq to format the JSON. The filter | jq -r .policies | jq '. | length' counts the number of policies in the account. Without this filter, the command returns the full list of policies.

Viewing the total number of policies per account by using the CLI

To get the total number of policies per account by using the CLI, use the following command:

ibmcloud iam account-policies --output json | jq '. | length'

The following example output displays the total number of policies:

351

Install jq to format the JSON. The filter | jq '. | length' counts the number of policies in the account. Without this filter, the command returns the full list of policies.

Viewing the total of a specific type of policies per account

To get the total number of policies for a specific subject, you can use the IBM Cloud CLI:

Log in, and select your account to run the appropriate CLI command. You might want to install jq to format JSON in the CLI output.

To get the count of policies for a service ID:

ibmcloud iam service-policies <service-id> -f --output JSON | jq '. | length'

To get the count of policies for a username (email):

ibmcloud iam user-policies <username> -f --output JSON | jq '. | length'

To get the count of policies for an access group ID:

ibmcloud iam access-group-policies <access-group> -f --output JSON | jq '. | length'

Install jq to format the JSON. The filter | jq '. | length' counts the policies that are returned for the subject. Without this filter, the command returns the full list of policies.
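When the goal is cleanup rather than a single total, the same /v1/policies response can be grouped by subject to show where policies concentrate and how many are attached directly to users instead of access groups. The following is an added example, not IBM code: it assumes each policy carries its subject as subjects[0].attributes[0] with a name of iam_id or access_group_id, and the function names and all IDs in the sample are constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Requires jq. Assumes each policy carries
# subjects[0].attributes[0] as a name/value pair (iam_id or access_group_id).

# Constructed stand-in for the /v1/policies response; all IDs are made up.
sample_policies() {
cat <<'EOF'
{"policies":[
 {"id":"p1","subjects":[{"attributes":[{"name":"access_group_id","value":"AccessGroupId-example-admins"}]}]},
 {"id":"p2","subjects":[{"attributes":[{"name":"access_group_id","value":"AccessGroupId-example-admins"}]}]},
 {"id":"p3","subjects":[{"attributes":[{"name":"iam_id","value":"IBMid-example-user1"}]}]},
 {"id":"p4","subjects":[{"attributes":[{"name":"iam_id","value":"iam-ServiceId-example-ci"}]}]},
 {"id":"p5","subjects":[{"attributes":[{"name":"iam_id","value":"IBMid-example-user1"}]}]},
 {"id":"p6","subjects":[{"attributes":[{"name":"iam_id","value":"IBMid-example-user1"}]}]}
]}
EOF
}

# Print "count subject" for each subject, largest first.
policies_per_subject() {
  jq -r '.policies
    | map(.subjects[0].attributes[0].value)
    | group_by(.)
    | map({subject: .[0], count: length})
    | sort_by(-.count, .subject)
    | .[] | "\(.count) \(.subject)"'
}

# Count policies attached directly to users. Assumption: user IAM IDs start
# with "IBMid-"; other identity types need their own prefix.
direct_user_policy_count() {
  jq '[.policies[]
       | .subjects[0].attributes[0]
       | select(.name == "iam_id" and (.value | startswith("IBMid-")))]
      | length'
}

# Demo on the constructed input (skipped when jq is not installed).
if command -v jq >/dev/null 2>&1; then
  sample_policies | policies_per_subject
  sample_policies | direct_user_policy_count
fi
```

To run it against a real account, pipe the output of the curl command from the API section, without its jq filter, into either function.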

Managing rule limits

If you aren't sure how many context-based restrictions rules are in your account, and you want to ensure that you avoid reaching the limit, you can check how many rules are in your account and work to reduce policies as you approach the limit.

You must be the account owner or administrator for All Account Management services and All Identity and Access enabled services to check how many rules exist in the account.

Viewing the total number of rules per account by using the API

To get the total number of rules per account, use the Context-based restrictions API:

  1. Log in to IBM Cloud® CLI. If you have multiple accounts, you are prompted to select which account to use. If you do not specify a region with the -r flag, you must also select a region.

    ibmcloud login
    

    If your credentials are rejected, you might be using a federated ID. To log in with a federated ID, use the --sso flag. See Logging in with a federated ID for more details.

    If it's your first time using the IBM Cloud CLI, check out the getting started tutorial.

  2. Generate your IAM access token:

    ibmcloud iam oauth-tokens
    
  3. Enter the following curl command to get a total number of rules in one account. You can find the correct value for the account_id query parameter by running the ibmcloud account list command. The account ID is in the Account GUID column. You might want to install jq to format the JSON, which is used in the following examples:

    curl --location --request GET "https://cbr.cloud.ibm.com/v1/rules?account_id=<account_id>" \
        --header "Content-Type: application/json" \
        --header "Authorization: <IAM TOKEN>" | jq '.rules | length'
    

In the following example output, the last line displays the total number of rules:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3422  100  3422    0     0   7830      0 --:--:-- --:--:-- --:--:--  7830
4

Viewing the total number of rules per account by using the CLI

To get the total number of rules per account, use the Context-based restrictions CLI:

ibmcloud cbr rules --output json | jq '.rules | length'

The following example output displays the total number of rules:

4

Requesting a policy and rule shared limit increase

You can request a limit increase for the total number of policies and rules that are allowed in the account only if the following criteria are met:

  • You must be the account owner or an administrator on all account management services.
  • Access groups are currently used to limit the overall number of policies in the account.
  • Use policies for resources grouped by resource group.
  • You have taken efforts to clean up and reduce the number of policies in the account.
  • You have taken efforts to clean up and reduce the number of rules in the account.

IAM policies and context-based restrictions rules share a combined limit.

If you meet all of the listed criteria, you can request a policy limit increase by submitting a support case in the console. In the case, provide all of the following information. Each piece of information is required for processing of your request.

  • Case title of Request to increase account policy limit
  • The use case for the extra policies
  • Information on all efforts taken to follow the Best practices for organizing resources and assigning access to reduce the number of policies on the account
  • Account ID
  • Note how many extra policies in the account are required
  • If you are requesting an increase per subject, note how many extra policies per subject are required
  • If you are requesting an increase of policies with access management tags, note how many extra policies with access management tags are required
  • An estimate of when you expect or plan to create extra policies

Your request is then reviewed and you are notified of the outcome through the case.